File Coverage

lib/ThreatDetector/Handlers/HeaderAbuse.pm

Criterion	Covered	Total	%
statement	21	21	100.0
branch	1	2	50.0
condition	2	2	100.0
subroutine	7	7	100.0
pod	0	2	0.0
total	31	34	91.1

line	stmt	bran	cond	sub	pod	time	code
1							package ThreatDetector::Handlers::HeaderAbuse;
2
3	2			2		143447	use strict;
	2					6
	2					85
4	2			2		11	use warnings;
	2					9
	2					168
5	2			2		18	use Exporter 'import';
	2					3
	2					105
6	2			2		769	use JSON;
	2					16967
	2					22
7	2			2		373	use Time::HiRes qw(gettimeofday);
	2					11
	2					20
8
9							our $VERBOSE = 0;
10							our @EXPORT_OK = qw(handle_header_abuse get_header_abuse_events);
11							our @HEADER_ABUSE_EVENTS;
12							our $VERSION = '0.04';
13
14							sub handle_header_abuse {
15	2			2	0	227086	my ($entry) = @_;
16	2					9	my ($sec, $micro) = gettimeofday();
17
18							my $alert = {
19							timestamp => "$sec.$micro",
20							type => 'header_abuse',
21							ip => $entry->{ip},
22							method => $entry->{method},
23							uri => $entry->{uri},
24							status => $entry->{status},
25							user_agent => $entry->{user_agent},
26	2		100			28	referer => $entry->{referer} \|\| '',
27							};
28	2					9	push @HEADER_ABUSE_EVENTS, $alert;
29	2	50				9	print encode_json($alert) . "\n" if $VERBOSE;
30							}
31
32							sub get_header_abuse_events {
33	1			1	0	24	return @HEADER_ABUSE_EVENTS;
34							}
35
36							1;
37
38							=head1 NAME
39
40							ThreatDetector::Handlers::HeaderAbuse - Handler for suspicious or abusive HTTP headers
41
42							=head1 SYNOPSIS
43
44							use ThreatDetector::Handlers::HeaderAbuse qw(handle_header_abuse);
45
46							handle_header_abuse($entry);
47
48							=head1 DESCRIPTION
49
50							Prints a JSON alert when a log entry contains suspicious or abusive header values — typically malformed, spoofed, empty, or disallowed User-Agent or Referer headers. This can be indicative of scraping tools, fuzzers, or manual tampering.
51
52							=head1 AUTHOR
53
54							Jason Hall
55
56							=cut